By Michael Goodyear
The fingerprint scanner is perhaps one of the best known security features in the world. In spy movies, no safe or villain’s lair is complete with one. But they aren’t foolproof: in “Diamonds Are Forever,” James Bond uses a fake fingerprint to get past such a scanner. In the nearly 50 years since that movie was released, fingerprint scanners have become increasingly ubiquitous and as a common protection mechanism for smartphones, they are the sealed gate to your data. But that gate is not as secure as we might think, and it no longer takes a legendary spy like 007 to crack it open.
A recent study by researchers at New York University and Michigan State University brought the technological risks of fingerprint scanning to light. The researchers used computer simulations to create “MasterPrints,” real fingerprints from databases or synthetically created ones that can spoof one of the stored fingerprints in a scanner’s database to unlock a phone. Although the study did not use real phones, instead using cropped images on the commercial verification software Verifinger, the findings were still alarming. The researchers’ generated prints could match the real ones up to 65% of the time. Even if the percentage with phones was much lower, it would still be a considerable risk.
One of the greatest weaknesses of your phone’s fingerprint scanning technology is that it doesn’t actually take a full fingerprint scan. Those would be nearly impossible to falsify. But your iPhone or Android phone only scan partial fingerprints, a much smaller area with fewer unique features. This risk is exacerbated by the fact that your phone typically takes eight to ten scans, giving the fingerprint scanner a database of eight to ten fingerprints it can use. Now hackers have eight to ten chances to spoof your fingerprint rather than just one. If you give register other people’s fingerprints on your phone (your spouse or children perhaps), it increased the risk again. It’s like if you have a lockbox with several different keys; the greater the number of keys, the greater risk that someone will get their hands on one or be able to copy one.
Professor Stephanie Schuckers, Director of the Center for Identification Technology Research at Clarkson University, noted that because the study didn’t involve actual phones, the takeaways were limited.
But while a full study of Apple and Android fingerprint recognition programs will be necessary to uncover the exact risk of falsifying fingerprints, any risk is too high. Our phones hold a world of data about us. By unlocking your phone, someone wouldn’t just be able to make a call, but would know your deepest secrets. Your contacts, your intimate texts and emails, your interests, and even your health data, all stored on your phone with only fingerprint recognition to protect them, would be at risk.
Perhaps the most alarming consequence of this security vulnerability is what it means for your finances. Services such as Apple Pay and Android Pay allow you to make purchases with the swipe of your finger. Banks are increasingly starting to have fingerprint recognition for signing into your app (and all of your financial data). Large banking institutions such as Chase and Bank of America, as well as credit card companies such as Capital One, are now just a swipe away for you…and your hacker.
When someone’s information gets stolen due to a false fingerprint, who will be liable? The phone developer and financial institution, by having used falsifiable fingerprint tracking technology, would be at risk of being held responsible. In the short term, however, it is the user who will suffer. Their personal and financial information will be compromised, leading to countless hours trying to secure everything again, not to permanent damage that could be done by your data getting out.
Fingerprint technology is not the only option (written passwords are usually still offered), so customers do have a choice of whether or not to trust that the fingerprint technology will protect their data. But since fingerprints are unique, fingerprint scanners have been seen as the safe choice, a much more secure method than a four number password.
Reporters have actually questioned the security of fingerprint scanning systems for years. But while previous fears were often just lists of everything that could go wrong, the new NYU and MSU study has quantifiable data to prove that fingerprints can be spoofed.
Technology has advanced so much that you can do practically anything from your smartphone. But we have to remember that with progress come downsides. When all that stands between your sensitive personal information and a thief is a fingerprint, you need the technology to be ironclad. James Bond may have had noble aims in tricking a fingerprint scanner, but it is unlikely that data hackers will have those same scruples. It may be easy to flip your finger and open your phone and all of your apps, but ease is not worth the risk of losing your information to modern day spies.
Michael Goodyear, who has a BA in History and Near Eastern Languages and Civilizations from the University of Chicago, is part of the ISLAT team.